# Cloudflare WAF

[[Cloudflare]] WAF (Web Application Firewall) inspects HTTP requests at the edge before they reach the origin and blocks or challenges those matching attack patterns — SQL injection, XSS, RCE, CMS-specific exploits, credential stuffing, scrapers, bots, and the OWASP Top 10. WAF runs across Cloudflare's entire network: any site that points DNS at Cloudflare can opt into rule sets without changing origin code. Rules are evaluated per request in microseconds.

## Why It Matters

Self-managed WAFs (ModSecurity, AWS WAF, F5) require continuous rule tuning and false-positive triage. Cloudflare ships and maintains managed rule sets — CVE-driven, updated within hours of new disclosures — and lets you write custom rules in a SQL-like expression language. For most sites, "turn it on, watch logs for a week, tune exceptions" is the entire engagement.

## Core Capabilities

- **Managed Rules**: Cloudflare-curated rule sets (Cloudflare Managed, OWASP Core, exposed credential check)
- **Custom Rules**: WireFilter expression language (`http.host eq "x" and ip.geoip.country eq "FR"`)
- **Rate Limiting**: per-IP, per-token, per-URL request budgets
- **Bot Management**: ML-driven bot scoring, separately licensed
- **API Shield**: schema validation, JWT verification, mTLS

## Common Use Cases

- **OWASP Top 10 mitigation** with one click
- **Geo-blocking** or geo-allowlisting
- **Rate-limiting** login endpoints to slow credential stuffing
- **Blocking** specific user agents, ASNs, JA4 fingerprints
- **WordPress/Drupal hardening** via CMS-specific rule sets

## References

- WAF home: https://www.cloudflare.com/application-services/products/waf/
- Documentation: https://developers.cloudflare.com/waf/
- WireFilter language: https://developers.cloudflare.com/ruleset-engine/rules-language/

## Related

- [[Cloudflare]]
- [[Cloudflare Tunnel]]
- [[Cloudflare Access and Zero Trust]]
- [[Cloudflare Workers]]
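To make the "per-IP, per-URL request budget" idea from the capabilities list and the login-endpoint use case concrete, here is an added example that is not Cloudflare's code and not part of the original note. It models a rate-limiting rule with a counting period, a threshold and a mitigation timeout, then replays a constructed request log (timestamps, client IPs and paths are invented) to show which requests a rule scoped to `/wp-login.php` would let through and which it would block. The rule fields, class names and sample traffic are all assumptions for illustration; Cloudflare's real product counts across its edge and can key on more than the client IP, which this toy does not attempt.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RateLimitRule:
    """Hypothetical shape of a per-IP, per-URL budget (assumption, not Cloudflare's schema)."""
    path_prefix: str          # requests whose path starts with this are counted
    period: int               # counting window, in seconds
    threshold: int            # requests allowed per client IP per window
    mitigation_timeout: int   # seconds the client stays blocked after exceeding the budget
    action: str = "block"     # what to return once the budget is exceeded


class RateLimiter:
    """Fixed-window counter per client IP with a mitigation timeout once the threshold is crossed."""

    def __init__(self, rule: RateLimitRule) -> None:
        self.rule = rule
        self.windows: dict[str, tuple[int, int]] = {}   # ip -> (window_start, count)
        self.blocked_until: dict[str, int] = {}         # ip -> timestamp when mitigation ends

    def decide(self, ts: int, ip: str, path: str) -> str:
        # Requests outside the rule's URL scope are never counted or blocked by it.
        if not path.startswith(self.rule.path_prefix):
            return "allow"

        # A client already under mitigation is answered without touching the counter.
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            return self.rule.action

        # Start a fresh window when the previous one has aged out.
        start, count = self.windows.get(ip, (ts, 0))
        if ts - start >= self.rule.period:
            start, count = ts, 0
        count += 1
        self.windows[ip] = (start, count)

        # The first request beyond the budget triggers the mitigation timeout.
        if count > self.rule.threshold:
            self.blocked_until[ip] = ts + self.rule.mitigation_timeout
            return self.rule.action
        return "allow"


# Constructed traffic: one legitimate client and one client hammering the login endpoint.
SAMPLE_REQUESTS = [
    (0, "203.0.113.5", "/wp-login.php"),
    (1, "198.51.100.7", "/wp-login.php"),
    (2, "198.51.100.7", "/wp-login.php"),
    (3, "198.51.100.7", "/wp-login.php"),
    (4, "198.51.100.7", "/wp-login.php"),
    (5, "198.51.100.7", "/wp-login.php"),
    (6, "198.51.100.7", "/wp-login.php"),   # 6th request in the window: budget of 5 exceeded
    (7, "198.51.100.7", "/wp-login.php"),   # inside the mitigation timeout
    (8, "203.0.113.5", "/wp-login.php"),    # a different client keeps its own budget
    (9, "198.51.100.7", "/index.html"),     # outside the rule's URL scope
    (40, "198.51.100.7", "/wp-login.php"),  # still inside the 60 s timeout that began at t=6
    (70, "198.51.100.7", "/wp-login.php"),  # timeout over and window aged out: counted afresh
]

LOGIN_RULE = RateLimitRule(path_prefix="/wp-login.php", period=10, threshold=5, mitigation_timeout=60)


def replay(requests, rule: RateLimitRule) -> list[tuple[int, str, str, str]]:
    """Run a request log through the limiter and return each request with its decision."""
    limiter = RateLimiter(rule)
    return [(ts, ip, path, limiter.decide(ts, ip, path)) for ts, ip, path in requests]


def run_sample() -> list[tuple[int, str, str, str]]:
    return replay(SAMPLE_REQUESTS, LOGIN_RULE)


if __name__ == "__main__":
    for ts, ip, path, decision in run_sample():
        print(f"t={ts:>3}  {ip:<14} {path:<16} {decision}")
```

The replay shows the two behaviours worth checking before enabling such a rule in production: the legitimate client's requests are untouched because budgets are tracked per IP, and requests to paths outside the rule's scope are never counted, so a broad `path_prefix` is the usual source of false positives. Start with a high threshold and the log-only equivalent of `action`, review which clients would have been affected, and tighten from there.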